· Compatibility with native Windows MSTSC client for RDP without the need for any custom clients.

· Use of existing Microsoft-provided RDP client on MACOSX, iOS, and Android.

Deployment Overview

The RDP Proxy functionality is provided as part of the NetScaler Gateway. In a typical deployment, the RDP client runs on a remote user’s machine. The NetScaler Gateway appliance is deployed within the DMZ, and the RDP server farm is in the internal corporate network. The remote user connects to the NetScaler Gateway public IP address, establishes an SSL VPN connection, and authenticates, after which he or she can access the remote desktops through the NetScaler Gateway appliance.

The RDP-proxy feature is supported in CVPN and ICAProxy modes.

Deployment Through CVPN

In this mode the RDP links are published on the Gateway home page or portal as bookmarks, through the ‘add vpn url’ configuration or through an external portal. The user clicks these links to access the Remote Desktop.

Deployment Through ICAProxy

In this mode a custom home page is configured on the Gateway VIP by using the wihome parameter. This home page can be customized with the list of Remote Desktop resources that the user is allowed to access. The custom page can be hosted on NetScaler, or, if it is hosted externally, it can be embedded as an iFrame in the existing Gateway portal page.

In either mode, after the user clicks the provisioned RDP link or icon, an HTTPS request for the corresponding resource arrives at the NetScaler Gateway. The Gateway generates the RDP file content for the requested connection and pushes it to the client. The native RDP client is invoked and connects to an RDP listener on the Gateway. The Gateway performs SSO to the RDP server, applies enforcement (smart access), in which it blocks client access to certain RDP features based on the NetScaler configuration, and then proxies the RDP traffic between the RDP client and the server.

Enforcement Details

The NetScaler administrator can configure certain RDP capabilities through the NetScaler Gateway configuration. NetScaler Gateway provides the “RDP enforcement” feature for important RDP parameters. NetScaler ensures that the client cannot enable blocked parameters. If the client enables a blocked parameter, the RDP enforcement feature supersedes the client-enabled setting, and it is not honored.

Supported RDP Parameters for Enforcement

Enforcement is supported for the following redirection parameters. They are configurable as part of an RDP client profile.

· Redirection of ClipBoard

· Redirection of Printers

· Redirection of Disk Drives

· Redirection of COM ports

· Redirection of PnP devices
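The following is an added example, not Citrix code, that models the enforcement decision above at the level of the standard .rdp file settings for the five redirection features (redirectclipboard, redirectprinters, drivestoredirect, redirectcomports, devicestoredirect). The RDP client profile knob names in PROFILE_TO_KEY are assumptions, since the page does not list them; the sample client .rdp text and profile are constructed. The Gateway applies the real enforcement inside the proxied RDP connection; this model shows the policy outcome: a feature the profile blocks is forced off even when the client turned it on, and the overridden settings are reported so they can be logged.

```python
# Standard .rdp file settings for the five redirection features that NetScaler
# RDP enforcement covers, with the value that disables each one.
BLOCKED = {
    "redirectclipboard": ("i", "0"),
    "redirectprinters": ("i", "0"),
    "drivestoredirect": ("s", ""),
    "redirectcomports": ("i", "0"),
    "devicestoredirect": ("s", ""),
}

# Assumed names for the RDP client profile knobs (the real parameter names are not on this page).
PROFILE_TO_KEY = {
    "redirectClipboard": "redirectclipboard",
    "redirectPrinters": "redirectprinters",
    "redirectDrives": "drivestoredirect",
    "redirectComPorts": "redirectcomports",
    "redirectPnpDevices": "devicestoredirect",
}


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines into {key: (type, value)}; values may contain ':'."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, typ, value = line.split(":", 2)
        settings[key.lower()] = (typ, value)
    return settings


def serialize_rdp(settings: dict) -> str:
    return "".join(f"{k}:{t}:{v}\r\n" for k, (t, v) in settings.items())


def enforce(client: dict, profile: dict):
    """Return (effective settings, keys the client had enabled but the profile blocks)."""
    effective = dict(client)
    overridden = []
    for knob, allowed in profile.items():
        if allowed:
            continue  # profile permits the feature: the client's own setting stands
        key = PROFILE_TO_KEY[knob]
        if effective.get(key, BLOCKED[key]) != BLOCKED[key]:
            overridden.append(key)  # client tried to enable a blocked feature
        effective[key] = BLOCKED[key]  # blocked features are forced off regardless of client value
    return effective, overridden


# Constructed sample: a client that turned every redirection on.
CLIENT_RDP = (
    "screen mode id:i:2\r\n"
    "full address:s:rdp.example.test:443\r\n"
    "redirectclipboard:i:1\r\n"
    "redirectprinters:i:1\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectcomports:i:1\r\n"
    "devicestoredirect:s:*\r\n"
)
# Constructed sample profile: printers and COM ports allowed, the rest blocked.
SAMPLE_PROFILE = {"redirectClipboard": False, "redirectPrinters": True, "redirectDrives": False,
                  "redirectComPorts": True, "redirectPnpDevices": False}


def demo():
    """Apply the sample profile to the sample client file."""
    effective, overridden = enforce(parse_rdp(CLIENT_RDP), SAMPLE_PROFILE)
    return serialize_rdp(effective), overridden


if __name__ == "__main__":
    text, overridden = demo()
    print(text)
    print("client settings overridden by enforcement:", overridden)
```

The overridden list is the useful audit signal: a client that repeatedly presents enabled values for blocked features is worth noticing, even though the Gateway does not honor them.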

Connection Flow

Connection flow can be divided into two steps:

· RDP resource enumeration and RDP file download.

· RDP Connection launch.

Based on the above connection flow, there are two deployment solutions:

Stateless (Dual) Gateway Compatibility

• User connects to the Authenticator Gateway VIP and provides his or her credentials.

• After successful login to the Gateway, user is redirected to the home page or external portal, which enumerates the remote desktop resources that the user can access.

• Once the user selects an RDP resource, a request is received by the Authenticator Gateway VIP in the format https://vserver-vip/rdpproxy/rdptarget/listener, indicating the published resource that the user clicked. This request carries the IP address and port of the RDP server that the user selected.

• The /rdpproxy/ request is processed by the Authenticator Gateway. Since the user is already authenticated, this request comes with a valid Gateway cookie.

• The RDPTarget and RDPUser information is stored on the STA server, and an STA Ticket is generated. The information stored on the STA server is encrypted by using the configured pre-shared key. The Authenticator Gateway uses one of the STA servers that is configured on the Gateway Vserver.

• The ‘Listener’ info obtained in the /rdpproxy/ request is put into the .rdp file as the “fulladdress,” and the STA ticket (pre-pended with the STA AuthID) is put into the .rdp file as the “loadbalanceinfo.”

• The .rdp file is sent back to the client end-point.

• The native RDP client launches and connects to the RDPListener Gateway. It sends the STA ticket in the initial packet.

• The RDPListener Gateway validates the STA ticket and obtains the RDPTarget and RDPUser information. The STA server to be used is retrieved by using the ‘AuthID’ present in the loadbalanceinfo.

Single Gateway Compatibility

In the case of a single gateway deployment, the STA server is not required. The authenticator gateway encodes the RDPTarget and the AAA session cookie securely and sends them as the loadbalanceinfo in the .rdp file. When the RDP Client sends this token in the initial packet, the authenticator gateway decodes the RDPTarget information, looks up the session, and connects to the RDPTarget.
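The following is an added example, not Citrix's implementation, that models both connection flows described above: the stateless dual-gateway flow (STA ticket in loadbalanceinfo, AuthID selecting the STA) and the single-gateway flow (RDPTarget and AAA session cookie sealed by the gateway). The pre-shared-key encryption is a labelled stand-in (SHA-256 counter-mode keystream plus an HMAC tag), the ";" separator between AuthID and ticket and the JSON record layout are assumptions rather than the NetScaler wire format, and the URL, hostnames, PSK values and cookie in the usage are constructed. "full address" and "loadbalanceinfo" are the standard .rdp file setting names.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


# Toy stand-in for the pre-shared-key encryption of STA records (assumption:
# SHA-256 counter-mode keystream plus an HMAC tag; not the NetScaler scheme).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def psk_seal(psk: str, record: dict) -> str:
    """Encrypt-then-MAC a small JSON record under the pre-shared key."""
    key = hashlib.sha256(psk.encode()).digest()
    nonce = secrets.token_bytes(16)
    plain = json.dumps(record).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, "sha256").digest()
    return (nonce + cipher + tag).hex()


def psk_open(psk: str, blob: str) -> dict:
    """Verify the tag first, then decrypt; any tampering is rejected."""
    key = hashlib.sha256(psk.encode()).digest()
    raw = bytes.fromhex(blob)
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, "sha256").digest(), tag):
        raise PermissionError("sealed record failed integrity check")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class STAServer:
    """Stores sealed (RDPTarget, RDPUser) records keyed by a random, single-use ticket."""

    def __init__(self, auth_id: str, psk: str, ttl_seconds: int = 100):
        self.auth_id, self.psk, self.ttl = auth_id, psk, ttl_seconds
        self._records = {}

    def issue(self, rdp_target: str, rdp_user: str, now: float) -> str:
        ticket = secrets.token_hex(16)  # random, so the ticket reveals nothing about the target
        self._records[ticket] = (now, psk_seal(self.psk, {"target": rdp_target, "user": rdp_user}))
        return ticket

    def redeem(self, ticket: str, now: float) -> dict:
        entry = self._records.pop(ticket, None)  # pop: a ticket can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already-redeemed STA ticket")
        issued, blob = entry
        if now - issued > self.ttl:
            raise PermissionError("STA ticket expired")
        return psk_open(self.psk, blob)


def parse_rdpproxy_request(url: str):
    """https://vserver-vip/rdpproxy/<rdptarget>/<listener> -> (rdptarget, listener)."""
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "rdpproxy":
        raise ValueError("not an /rdpproxy/ request: " + url)
    return parts[1], parts[2]


def build_rdp_file(fulladdress: str, loadbalanceinfo: str) -> str:
    # The listener goes into "full address", the routing token into "loadbalanceinfo".
    return f"full address:s:{fulladdress}\r\nloadbalanceinfo:s:{loadbalanceinfo}\r\n"


def rdp_setting(rdp_file: str, key: str) -> str:
    for line in rdp_file.splitlines():
        if line.lower().startswith(key + ":"):
            return line.split(":", 2)[2]
    raise KeyError(key)


# Dual-gateway (stateless) flow: the STA ticket travels in loadbalanceinfo.
def authenticator_dual(url: str, rdp_user: str, sta: STAServer, now: float) -> str:
    target, listener = parse_rdpproxy_request(url)
    ticket = sta.issue(target, rdp_user, now)
    return build_rdp_file(listener, f"{sta.auth_id};{ticket}")  # AuthID prepended (separator assumed)


def listener_dual(rdp_file: str, sta_servers: dict, now: float) -> dict:
    # The client sends loadbalanceinfo in its first packet; here it is read from the .rdp content.
    auth_id, ticket = rdp_setting(rdp_file, "loadbalanceinfo").split(";", 1)
    return sta_servers[auth_id].redeem(ticket, now)  # AuthID selects the STA to query


# Single-gateway flow: no STA; target plus AAA session cookie are sealed by the gateway.
def authenticator_single(url: str, session_cookie: str, gw_key: str) -> str:
    target, listener = parse_rdpproxy_request(url)
    return build_rdp_file(listener, psk_seal(gw_key, {"target": target, "cookie": session_cookie}))


def listener_single(rdp_file: str, gw_key: str, sessions: dict) -> dict:
    info = psk_open(gw_key, rdp_setting(rdp_file, "loadbalanceinfo"))
    if info["cookie"] not in sessions:  # the AAA session must still exist on the gateway
        raise PermissionError("no AAA session for this token")
    return {"target": info["target"], "user": sessions[info["cookie"]]}
```

Usage: `rdp = authenticator_dual("https://gw.example.test/rdpproxy/10.0.0.5:3389/rdp.example.test:443", "alice", sta, now)` followed by `listener_dual(rdp, {"STA01": sta}, now)`. The two properties worth checking in any deployment are visible in the model: a ticket is random and single-use, so a captured .rdp file cannot be replayed once redeemed or after the TTL, and in single-gateway mode the token is only as good as the AAA session it references, so ending the session invalidates the token.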

Support for Single Listener

• A single listener for both RDP and SSL traffic.

• The RDP file download and the RDP traffic can be handled through the same 2-tuple (IP address and port) on NetScaler.

Bookmark

• RDP link generation through the portal. Instead of configuring the RDP links for the user or publishing them through an external portal, you can give users the option to generate their own URLs by providing targetIP:Port. For a stateless RDP-proxy deployment, the administrator can include the RDP listener information in FQDN:Port format as part of the RDP Client Profile. This is done under the rdpListener option. This configuration is used for RDP link generation through the portal in Dual Gateway mode.

Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.

If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.

On the right, click Add.

Give the Bookmark a name.

For the URL, enter rdp://MyRDPServer, using either an IP address or a DNS name.

Check the box next to Use NetScaler Gateway As a Reverse Proxy and click Create.

Create more bookmarks as desired.

Create or edit a session profile or policy.

On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.

On the Remote Desktop tab, select the RDP Client Profile you created earlier.

If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.

On the Published Applications tab, make sure ICA Proxy is OFF.

Modify or Create your Gateway Virtual Server.

In the Basic Settings section, click More.

Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.

Scroll down. Make sure ICA Only is not checked.

Bind a certificate.

Bind authentication policies.

Bind the session policy/profile that has the RDP Client Profile configured.

You can bind Bookmarks to either the NetScaler Gateway virtual server or to an AAA group. To bind to the NetScaler Gateway virtual server, on the right, in the Advanced Settings section, click Published Applications.

If you want to connect to RDP servers by using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).

If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).

Connect to your Gateway and log on.

If you configured Bookmarks, click the Bookmark.

You can also change the address bar to /rdpproxy/MyRDPServer, entering either an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).

Open the downloaded .rdp file.

You can view the currently connected users by going to NetScaler Gateway Policies > RDP. On the right is the Connections tab.
